infinity0 7 months ago

Can anyone actually get this to compile? I failed last year, and it's still failing:

    $ CFLAGS=-fPIC make clean all
    rm -f *.o injector
    cc -fPIC -c injector.c -o injector.o -Wall
    injector.c:321:93: warning: excess elements in array initializer
      .start={.bytes={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, .len=0},
    injector.c:321:93: note: (near initialization for ‘total_range.start.bytes’)
    injector.c:322:91: warning: excess elements in array initializer
      .end={.bytes={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}, .len=0},
    injector.c:322:91: note: (near initialization for ‘total_range.end.bytes’)
    injector.c: In function ‘inject’:
    injector.c:778:2: warning: asm operand 15 probably doesn’t match constraints
      __asm__ __volatile__ ("\
    injector.c:778:2: error: impossible constraint in ‘asm’
    make: *** [Makefile:38: injector.o] Error 1
  • rgovostes 7 months ago

    Seems like using immediate values in inline assembly operands can be fragile depending on what optimizations the compiler decides to apply. Try building with -ftree-ter in your CFLAGS, as suggested by

    • infinity0 7 months ago

      I figured it out, it's because Debian enables PIE and that somehow causes GCC not to be able to satisfy its own rules for allowing inline-assembly to modify %rsp to the value required by this program.

      • vectorEQ 7 months ago

        for these kind of low level things, it's best to turn off all compiler optimizations and os specific features. if you run gcc -V or something hten it will dump it's default flags for the distro you are on.

        What i ususally do is create a cross compiler with nothing enabled for these kinds of projects. This saves a lot of sifting and disabling options and optimizations.

        If you have a bunch of inline assembly and such things, optimizations can be really killing.

      • rgovostes 7 months ago

        You ought to update your pull request, then! I'm not sure why they don't accept regular issues.

        • sabas123 7 months ago

          Because this github release was only for talk and he has since moved on (albeit is still using it for other projects)

          The sifter isn't terrible intresting it self but could use a lot of chances. Like the ability to use multiple disassemblers. God that was such a pain to hack that one together.

  • iammyIP 7 months ago

    works when compiled with -no-pie on xubuntu 18.04

caf 7 months ago

The demonstration in Figure 7 of a program that executes a benign codepath on QEMU but malicious on baremetal - and the benign codepath is what shows up in the disassemblers they tested - is very neat.

  • pm215 7 months ago

    Note that "provide an emulation of an x86 CPU that is sufficiently true to the hardware that it is impossible for a guest program to distinguish it" is not a goal of upstream QEMU -- in part because we don't think it's actually possible. Don't trust TCG (pure-emulation) QEMU to contain a potentially-malicious piece of code, either...

  • tralarpa 7 months ago

    That's very cool. I am also surprised about the bugs discovered in disassemblers. You would expect that these kind of mistakes are quickly discovered. Or was the Intel manual wrong?

    Edit: Ah, they explain it in the last paragraph of that section.

panic 7 months ago

I love the visual design of the UI. It looks like something out of a hacker movie.

vectorEQ 7 months ago

this page fault trick to check insn len is awsome, this is such a good technique!

shinelive 7 months ago

Share a porn live link